ToniRod
Jul 23, 2023, Guide
WAX630E VLAN bug
Hello, I'm having issues with my 2 WAX630E units. VLANs are not working properly. Configuration: - Netgear MS510TXM Managed switch - 2 WAX630E AP, AP1 and AP2 - 2 VLANs: A & B - 2 SSID:...
schumaku
Jul 23, 2023, Guru - Experienced User
This reads more like a firewall or filtering issue. Or are we facing some mDNS (Multicast DNS gateway) configuration on these WAX630E?
ToniRod
Jul 24, 2023, Guide
Hi, actually mDNS is disabled on both APs.
Regarding firewall, all traffic is allowed from VLAN A to VLAN B.
I'm facing the issue only when the printer and the laptop are connected to the same Access Point but with different VLAN SSID. Connecting them to two different Access Points, and still with different VLAN SSID works well, which suggests it's not a firewall issue.
- schumaku, Jul 24, 2023, Guru - Experienced User
ToniRod wrote:
I'm facing the issue only when the printer and the laptop are connected to the same Access Point but with different VLAN SSID. Connecting them to two different Access Points, and still with different VLAN SSID works well, which suggests it's not a firewall issue.

Two SSIDs, still two networks, two different VLANs, two different IP subnetworks. And the IPv4 traffic must flow over the firewall. What does Wireshark collect when attempting to access the printer Web UI from the laptop? Sure, there could be additional L3 or L2 issues prohibiting establishing a connection, e.g. on the WAX630E. Start capturing traffic, prove a ping will go through, then we can see what fails on establishing a TCP session.
- ToniRod, Jul 30, 2023, Guide
Thanks schumaku for the help.
Indeed, I've already captured the packets at 3 different points:
- client laptop
- access point
- switch by mirroring the port the access point is connected to
Something looks wrong to me.
I'm currently out for summer holidays. As soon as I'm back home within 3 weeks, I will share the packet capture.
- ToniRod, Aug 27, 2023, Guide
As promised, I'm sharing the traffic capture. Several scenarios to try to isolate the issue.
I've tried to interpret the results but not sure if I'm doing it properly. Any help is welcome.
TEST CASE 1: Ping OK
- Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic
Laptop traffic capture
- file: 1.same-ap_ping-ok_client.pcapng
- We see the ICMP ping request and reply, VLAN unaware
AP1 traffic capture
- file: 2_same-ap_ping_ok_ap.pcap
- We see the request leaving the AP1 on VLAN10 and entering on VLAN50
- We see the response leaving the AP1 on VLAN50 and entering on VLAN10
Switch traffic capture
- file: 3_same-ap_ping-ok_switch.pcapng
- traffic is consistent with the laptop and AP1 capture
TEST CASE 2: HTTP KO
- Laptop (VLAN unaware) connected to SSID on VLAN10 on AP1
- Printer connected to SSID on VLAN50 on AP1
- AP1 connected to VLAN aware switch on port 4
- Switch connected to FW allowing all traffic (for diagnostics purpose) from VLAN10 to VLAN50
- Port 4 mirrored to port 6, connected to another laptop to capture switch traffic
Laptop traffic capture
- file: 1_same-ap_http-ko_client.pcapng
- The handshake seems to happen but there are unexpected SYN/ACK received by the client and the TCP connection gets reset
AP traffic capture
- file: 2_same-ap_http-ko_ap.pcap
- The handshake begins but there is an issue with the ACK. It leaves the AP1 on VLAN10 but never enters the AP1 on VLAN50
- I believe the printer never received the ACK and then resent SYN/ACK.
- This suggests at this time an issue with the FW / Router
Switch traffic capture
- file: 3_same-ap_http-ko_switch.pcapng
- The handshake begins and actually ends. We see the ACK on VLAN10 coming from the AP1 and we see the ACK on VLAN50 going to the AP1
- Which now suggests the AP1 is dropping the ACK entering the AP1 on VLAN50
- Strange also, the AP1 sends to the switch ACK with wrong VLAN/MAC pairs (frame no 11). To be sure those come from the AP1, I've captured the traffic on port 4 of the switch configured as RX (ingress) only
Zip file with the capture: https://drive.google.com/file/d/1lbJEulcTv0t6qEz4cM5OGYY--HI4lA4C/view?usp=sharing
Thanks for the help.
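The per-VLAN comparison done by hand in Test Case 2, as an added example that is not part of the original thread: it pairs each TCP segment across the two VLAN tags in a capture and reports segments seen on only one VLAN. It assumes the firewall routes without NAT (so a segment keeps its addresses, ports and sequence numbers on both VLANs) and that frames carry 802.1Q tags; all addresses, ports and frames below are constructed.

```python
import struct
from collections import defaultdict

FLAG_NAMES = {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK", 0x04: "RST"}

def build_frame(vlan, src, dst, sport, dport, seq, ack, flags):
    """Constructed sample frame: Ethernet + 802.1Q + IPv4 + TCP (zeroed MACs/checksums)."""
    eth = bytes(12) + struct.pack("!HHH", 0x8100, vlan, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (vlan_id, segment_key) for a tagged IPv4/TCP frame, else None."""
    if len(frame) < 38:  # 14 Ethernet + 4 VLAN tag + 20 IPv4
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    if tpid != 0x8100 or ethertype != 0x0800 or ip[9] != 6 or len(ip) < ihl + 14:
        return None
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    # Same addresses, ports, seq/ack and flags on both VLANs means the same routed segment.
    return tci & 0x0FFF, (ip[12:16], ip[16:20], sport, dport, seq, ack, flags & 0x17)

def one_legged_segments(frames, vlans=(10, 50)):
    """Report (flags, vlan) for TCP segments seen on only one of the two VLANs."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[0] in vlans:
            seen[parsed[1]].add(parsed[0])
    return [(FLAG_NAMES.get(key[6], hex(key[6])), min(on))
            for key, on in seen.items() if len(on) == 1]

# Constructed addresses, ports and sequence numbers (not taken from the shared capture).
LAPTOP, PRINTER = (192, 168, 10, 20), (192, 168, 50, 30)
AP_CAPTURE = [
    build_frame(10, LAPTOP, PRINTER, 50000, 80, 1000, 0, 0x02),
    build_frame(50, LAPTOP, PRINTER, 50000, 80, 1000, 0, 0x02),
    build_frame(50, PRINTER, LAPTOP, 80, 50000, 7000, 1001, 0x12),
    build_frame(10, PRINTER, LAPTOP, 80, 50000, 7000, 1001, 0x12),
    build_frame(10, LAPTOP, PRINTER, 50000, 80, 1001, 7001, 0x10),  # never seen on VLAN50
]
# Switch mirror: same exchange, plus the ACK routed back towards AP1 on VLAN50.
SWITCH_CAPTURE = AP_CAPTURE + [build_frame(50, LAPTOP, PRINTER, 50000, 80, 1001, 7001, 0x10)]

if __name__ == "__main__":
    print("AP capture:", one_legged_segments(AP_CAPTURE))
    print("switch mirror:", one_legged_segments(SWITCH_CAPTURE))
```

A segment that is complete on the switch mirror but one-legged in the AP capture points at the AP rather than the firewall, which is the conclusion reached in the post above.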
- ToniRod, Sep 30, 2023, Guide
Some feedback from Netgear support.
First, Netgear support tried to reproduce the bug with a 610Y access point.
They couldn't reproduce it.
Then, Netgear support was able to reproduce the bug on the WAX630E and it was raised to the development team.
I was then told the bug has been known for several months, but not fixed yet.
In summary, for the time being, VLAN capability doesn't work on the WAX630E.
Hope it gets fixed fast, otherwise I will have to change the access points and try to get a refund from Netgear.
Thanks for those who tried to help in this.